|
|
a9a453109c
|
security: critical auth fixes, test migration to SQLite+FK, 44 test fixes
CRITICAL (CVE-class):
- C-4: Remove DEV_MODE fallback with hardcoded postgres:postgres credentials
- C-3: WebSocket endpoints now require JWT or API key token (?token=) auth
- C-1: Superset environment passwords encrypted via Fernet at rest in DB
- H-4: SESSION_SECRET_KEY separated from JWT AUTH_SECRET_KEY
- H-1: Log injection via %s-formatting instead of f-strings
- H-5: X-Trace-ID header validated as UUID4 to prevent trace poisoning
INFRASTRUCTURE:
- New src/core/encryption.py — EncryptionManager extracted from llm_provider
- Test DB: per-module sqlite:///:memory: with PRAGMA foreign_keys=ON
- testcontainers PostgreSQL via TEST_DB=postgres env var
- conftest temp-file global engine (no 10GB shared-cache leak)
TEST FIXES (44 pre-existing → 0):
- test_smoke_plugins: module-level sys.modules mock isolated to per-test fixture
- test_migration_engine: EXT:Python:uuid → uuid syntax fix
- test_dashboards_api: mock env attributes + correct patch target
- test_constants_audit_fixes: sync expected constant names with actual
- test_defensive_guards: patch.object instead of module-level Repo mock
- test_clean_release_cli: removed empty config.json directory
- FK violations: TaskRecord parents in log_persistence, Environment in
mapping_service, ReleaseCandidate in candidate_manifest_services
ORTHOGONAL TESTS (18 new):
- test_security_orthogonal.py: bcrypt 72-byte limit, unicode, API key
format invariants, Fernet robustness, encryption key lifecycle,
log injection protection, JWT edge cases
MODEL FIXES:
- MetricSnapshot.job_id: nullable with SET NULL (was broken FK for
aggregate prune snapshots, hidden by SQLite)
CLEANUP:
- Removed stale :memory:test_main/test_auth/test_tasks file databases
- Removed duplicate #endregion in encryption_key.py
|
2026-05-26 14:58:49 +03:00 |
|
|
|
7f96a983a9
|
[
{
"file": "backend/src/api/routes/__tests__/test_dashboards.py",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "All 9 previous findings remediated. @TEST_FIXTURE data aligned, all @TEST_EDGE scenarios covered, all @PRE negative tests present, all @SIDE_EFFECT assertions added. Full contract compliance."
},
{
"file": "backend/src/api/routes/__tests__/test_datasets.py",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "All 6 previous findings remediated. Full @PRE boundary coverage including page_size>100, empty IDs, missing env. @SIDE_EFFECT assertions added. 503 error path tested."
},
{
"file": "backend/src/core/auth/__tests__/test_auth.py",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "All 4 previous findings remediated. @SIDE_EFFECT last_login verified. Inactive user @PRE negative test added. Empty hash edge case covered. provision_adfs_user tested for both new and existing user paths."
},
{
"file": "backend/src/services/__tests__/test_resource_service.py",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "Both prior recommendations implemented. Full edge case coverage for _get_last_task_for_resource. No anti-patterns detected."
},
{
"file": "backend/tests/test_resource_hubs.py",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "Pagination boundary tests added. All @TEST_EDGE scenarios now covered. No anti-patterns detected."
},
{
"file": "frontend/src/lib/components/assistant/__tests__/assistant_chat.integration.test.js",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "No changes since previous audit. Contract scanning remains sound."
},
{
"file": "frontend/src/lib/components/assistant/__tests__/assistant_confirmation.integration.test.js",
"verdict": "APPROVED",
"rejection_reason": "NONE",
"audit_details": {
"target_invoked": true,
"pre_conditions_tested": true,
"post_conditions_tested": true,
"test_data_used": true
},
"feedback": "No changes since previous audit. Confirmation flow testing remains sound."
}
]
|
2026-02-27 09:59:57 +03:00 |
|